April 19, 2017

New Mexico Becomes 48th State to Enact Data Breach Notification Law

by the Privacy and Data Security Group

New Mexico recently became the 48th state to enact a data breach notification law. This continues the accelerated pace of state data breach legislative activity in the last two years. Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.

In light of the flurry of recent state legislative activity, any organization that collects or possesses personal information (as variously defined by state laws) should review its information security program, incident response plan, data retention/destruction policies, and third-party vendor agreements to ensure that they comply with New Mexico and other recently enacted laws.

The most significant aspects of New Mexico’s brand new "Data Breach Notification Act" include:

Definition of "Personal Identifying Information" Includes Biometric Data. The law follows a growing state trend by including "biometric data" in its definition of "personal identifying information" (PII). "Biometric data" is defined as "a record generated by automatic measurements of an identified individual's fingerprints, voiceprint, iris or retina patterns, facial characteristics, or hand geometry that is used to uniquely and durably authenticate an individual's identity when the individual accesses a physical location, device, system, or account." New Mexico's PII definition is otherwise fairly conservative. It excludes personal data that is encrypted, redacted, or "otherwise rendered unreadable or unusable." It also does not include personal health information.

Breach Notification Requirements Include 45-Day Notice Deadline. The law requires any "person that owns or licenses elements that include personal identifying information of a New Mexico resident" to provide notification to each resident in the event that the PII "is reasonably believed to have been subject to a security breach." Notification also must be provided to the Attorney General and major consumer reporting agencies for any breach requiring notification of more than 1,000 New Mexico residents.

"Security breach" is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired. The law requires that notice be provided within 45 calendar days after discovery of the breach unless:

the person determines that the security breach "does not give rise to a significant risk of identity theft or fraud;"

the person is subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996; or

a delay is necessary to allow a criminal investigation to proceed or to determine the scope of the breach and restore and secure the data system.

The law also specifies the required content of any notification.

PII Must Be Disposed of Properly. The law provides that records containing PII of New Mexico residents must be disposed of when they are no longer needed for a business purpose and in such a manner as to make the PII unreadable or undecipherable. Entities that are subject to the law should ensure that they have data retention and destruction policies that comply with this requirement.

"Reasonable" Security Measures Must Be Implemented. Entities that own or license PII of New Mexico residents are required to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" to protect the PII from "unauthorized access, destruction, use, modification or disclosure." The law does not define what constitutes "reasonable" security measures. To comply with this provision, entities should start by conducting a risk assessment and implementing an information security program based on the assessment's findings, applicable or analogous law, and industry best practices.

Contracts with Service Providers Receiving PII Must Require Them to Implement Reasonable Security Measures. New Mexico's law adds to the growing list of states that require entities that disclose PII to service providers to contractually require those service providers to implement and maintain reasonable security procedures and practices. The law defines service provider as "any person that receives, stores, maintains, licenses, processes, or otherwise is permitted access" to PII through its provision of services. Such service providers are also required to notify contractual partners of any “security breach” in the manner specified by the law. This "pass through" requirement should trigger entities to revise applicable contracts to include data security and breach notification language.

Civil Enforcement and Penalties. The New Mexico Attorney General may bring a civil action on behalf of individuals and the State for violations of the statute. Although no private right of action is authorized, the Attorney General may obtain injunctive relief and "damages for actual costs or losses, including consequential financial losses." For knowing and reckless violations, the court also may impose a civil penalty of "the greater of" $25,000 or $10 per instance of failed notification, up to a maximum of $150,000.

Members of Ballard Spahr's Privacy and Data Security Group regularly assist clients with complying with data security and breach notification laws. Our cross-disciplinary team provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.